tagline: From openSUSE
- 1 About
- 2 Configuration
- 3 Features
- 4 Further reading
SuSEfirewall2 is basically a script that generates iptables rules from configuration stored in the /etc/sysconfig/SuSEfirewall2 file. SuSEfirewall2 protects you from network attacks by rejecting or dropping some unwanted packets that reach your network interface.
For more advanced configurations, the firewall offers three different zones to which you can assign your network interfaces. This lets SuSEfirewall2 also act as a router between three different networks, or as a LAN server that provides masquerading to the Internet (or another network).
+---------------------+
| every Firewall Zone |
+----------+----------+
           |
           +--> [ Has assigned Network interfaces ]
           |
           +--> [ Has defined Allowed Services ]
To configure SuSEfirewall2, either
- edit the /etc/sysconfig/SuSEfirewall2 file manually and call
Please note that the current YaST_Firewall module neither shows nor lets you configure all settings of the firewall. This includes at least the reject configuration (of which at least one is activated by default).
Although SuSEfirewall2 has many features, YaST obviously can't configure all of them. The configuration file itself documents every single feature.
If a particular variable accepts multiple entries, they are separated by spaces.
FW_VARIABLE="value1 value2 value3,with,more,parameters"
SuSEfirewall2 has three different zones by default:
- EXT - External Zone (i.e. untrusted, Internet)
- INT - Internal Zone (fully trusted, no filtering, LAN)
- DMZ - Demilitarized Zone (for servers that should be reachable from the Internet)
A network interface is assigned to a zone by adding its name to the FW_DEV_zone variable, where zone is one of the configured zones.
FW_DEV_EXT="dsl0"
FW_DEV_EXT="any wlan0"
FW_DEV_INT="eth0 wlan1"
The special string any tells SuSEfirewall2 to assign all interfaces that are not listed anywhere else to the specified zone. By default, all unassigned interfaces are assigned to the external zone.
The variable FW_ZONES can be used to define additional zones. For example, if you don't want the restrictive filtering of the external zone in your WLAN, but also don't fully trust the WLAN so you can't use the internal zone, you could define a new zone:
Allowing Access to Services
Every firewall zone can allow four types of services:
- TCP - FW_SERVICES_EXT_TCP, FW_SERVICES_INT_TCP, FW_SERVICES_DMZ_TCP
- UDP - FW_SERVICES_EXT_UDP, FW_SERVICES_INT_UDP, FW_SERVICES_DMZ_UDP
- RPC - FW_SERVICES_EXT_RPC, FW_SERVICES_INT_RPC, FW_SERVICES_DMZ_RPC
- IP - FW_SERVICES_EXT_IP, FW_SERVICES_INT_IP, FW_SERVICES_DMZ_IP
TCP and UDP services can be entered by port number, by port name (the current assignments can be found in the /etc/services file on your system) or as a port range given as two port numbers with a colon in between.
FW_SERVICES_EXT_TCP="ssh"
FW_SERVICES_EXT_TCP="ftp 22 telnet 512:514"
FW_SERVICES_EXT_UDP="631 400:405"
Alternatively, packages may provide a configuration file that describes which ports need to be opened to run a specific service; see SuSEfirewall2/Service_Definitions_Added_via_Packages. This method is especially convenient if a service needs multiple ports.
More Restricted Access to Services
The way of allowing access to services described above is not very granular: a service is either allowed or it is not. There are parameters that allow more restrictive access to a service. However, the definitions of allowed services above take precedence over the definitions below when the same port is used. These are:
- FW_SERVICES_ACCEPT_EXT, FW_SERVICES_ACCEPT_INT, FW_SERVICES_ACCEPT_DMZ
For each service these parameters take four positional parameters plus additional keyword parameters, also called flags.
The format is therefore a space-separated list of entries of the form net,protocol[,dport[,sport[,flags]]]
FW_SERVICES_ACCEPT_EXT="0.0.0.0/0,tcp,22"
# This 0.0.0.0/0 restricts access via IPv4 only
Supported flags are:
- hitcount=NUMBER: ipt_recent --hitcount parameter
- blockseconds=NUMBER: ipt_recent --seconds parameter
- recentname=NAME: ipt_recent --name parameter
# Allow a maximum of three ssh connects per minute from the same IP address somewhere on the Internet:
FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
# This 0/0 allows access via both IPv4 and IPv6
- Allow the network on the internal interface full access to the net.
- Allow the DMZ network full access to the net.
Forwarding to Masqueraded Hosts
HTB - Tuning Maximum Upload Speed
Internet Protocol version 6 (IPv6) configuration has the following items:
- IPv6 support - FW_IPv6 (yes/no)
- IPv6 outgoing configuration - FW_IPv6_REJECT_OUTGOING ([yes]/no/drop)
- When FW_IPv6 is left empty, it defaults to whatever IPv6 support the kernel provides.
- FW_IPv6_REJECT_OUTGOING defaults to yes (rejecting).
To allow forwarding from an IPv6 subnet behind SuSEfirewall2, set FW_FORWARD="[your IPv6 prefix]/64,2000::/3"
- SuSEfirewall2 does not support all its features on IPv6.
- List of non-working keywords:
- ... (Feel free to add more)
Please see the contents of /usr/share/doc/packages/SuSEfirewall2/, shipped with the SuSEfirewall2 package.